FCPA Enforcement Stresses One Central Theme: Proactive Compliance

by GAN Integrity on May 10th, 2018

In November 2017, Deputy Attorney General Rod J. Rosenstein lifted the veil on the DOJ’s new FCPA Enforcement Policy. Calling the enforcement policy ‘new’ is probably an exaggeration, though, since most of its stepping stones were laid by the FCPA Pilot Program – in effect since April 2016. The enforcement policy promises companies great gains, including steep penalty reductions and declinations, among others, provided that the requirements set out in the policy are met: a company must self-disclose violations, fully cooperate with authorities, and remediate in a timely and appropriate manner.

Understanding the requirements of the FCPA Corporate Enforcement Policy:

Voluntary self-disclosure: The policy sets out some clear conditions for the legitimacy of a company’s disclosure of violations. A company self-disclosing a breach should do so as soon as the breach is detected and “prior to an imminent threat of disclosure or government investigation”. A company must also disclose all facts and names of individuals involved in the violation.

Full cooperation: The policy specifies that full cooperation is only considered when a company conducts an internal investigation and updates the DOJ on the investigation’s findings in a timely manner. All relevant facts pertaining to the violation, including the company’s personnel and third parties involved, must be gathered and disclosed. A company must also point out to authorities opportunities to obtain evidence that are otherwise not available to the company itself. Documents relevant to the investigation, as well as information on their provenance, must be preserved, collected, and disclosed. The burden of de-conflicting investigative steps also falls on the company to ensure that the DOJ is able to proceed with its work.

Timely and appropriate remediation: A company must conduct a thorough analysis to identify the root causes underlying violations and thereafter appropriately remediate. Remediation takes many forms depending on the size and structure of the company. The policy, therefore, stresses the urgency of implementing an effective compliance program, yet also notes that a program may include a range of different controls, from a corporate culture of compliance, independent and qualified compliance resources to audits and third party due diligence.

What the DOJ offers provides a great deal of encouragement for companies considering self-disclosure. However, detecting corruption violations, in itself, requires having the right tools in place. Whether you are establishing a compliance program that will allow you to detect potential violations – and thereby be an eligible candidate for the DOJ’s offer – or you are remediating existing violations, meaningful compliance is, in both cases, what you need. As put by FCPA expert Bill Steinman, remediation also involves “taking a step back and asking fundamental questions about corporate ethics and culture writ large”.

That said, there is no magic formula for designing the perfect compliance program, and that is the embedded message of every DOJ document, guidance, and other release. Other best practices, including ISO 37001, point to the same conclusion. An efficient compliance program is ongoing and vibrant; it is a program that adapts as your business expands, as the world changes, and as regulations evolve. That is the whole point of making room for the ‘mistakes’ that come with self-disclosure, full cooperation, and appropriate remediation.

To borrow the words of sociologist Max Weber, the “ultimate end” of FCPA enforcement is to install a culture of proactive compliance. An effective compliance program will never bring the assurance that nothing will happen; it will, however, provide CCOs and executives with a clear picture of which risks are more likely to strike and alert them when they do. Enforcement authorities will evaluate your investment in those processes, including how diligently you have conducted your risk assessment, which controls you have implemented, and, when breaches do occur, how they were remediated.

Building a comprehensive structure for your compliance program is essential to effectively and efficiently mitigate risk. And while risks vary from one company to another based on industry, location, and partners – thereby disqualifying any one-size-fits-all compliance program – the underlying structure of a program can, to a reasonable extent, be broken down into a set of components.